Securing mail access with Kerberos and SSL
Wolfgang Friebel, DESY
HEPNT/HEPiX meeting, Oct 6, 1999

Motivation
- User authentication at our site is based on Kerberos
- Nearly all services have been made Kerberos aware (xdm, ftp, ...)
- IMAP4 with the UW imapd was not kerberized
- Clear-text passwords were sent for imapd authentication
- UNIX passwords had to be maintained only because of imapd

Goals
- Stay with the present imapd server (UW)
- Get rid of clear-text passwords by using imapd with SSL:
  - encrypt the communication
- Get rid of UNIX passwords by using imapd with Kerberos:
  - check the password against Kerberos, or
  - send encrypted data (a Kerberos authenticator) instead of a password

Solution 1: Authentication with Kerberos (via PAM)
- Make use of the PAM support available on several platforms
  - link imapd against the PAM library and let a Kerberos PAM module check the password
Advantages:
- no source code modification required
- the crypt-hashed UNIX password entry is no longer needed
Disadvantage:
- passwords still go in clear text over the line

Solution 2: Making imapd Kerberos aware
- imapd / pine come with client-side Kerberos support
- server-side support added by Michael Matz
- compiled pine and imapd with the Kerberos authenticator
Advantage:
- no password required with a valid Kerberos ticket
Disadvantages:
- clear-text password transmission without a valid ticket
- no Kerberos-aware clients other than pine

Solution 3: Accepting SSL connections
- Made imapd SSL aware by replacing the socket read and write calls (recipe by Andy Polyakov)
- Separate server listening on port 993
- Known to work at least on Solaris
- Requires a certificate authority
Advantages:
- works with Netscape and Internet Explorer
- no more clear-text passwords
Disadvantages:
- no SSL support in pine, a wrapper is required
- speed: the whole session gets encrypted

Alternate solutions for SSL support
- Use unmodified imapd and unmodified clients with available wrappers, e.g.:
  - stunnel
  - bjorb
  - wrapssl
Advantage:
- ease of installation
Disadvantage:
- wrappers (daemons) required on each host
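What such a wrapper setup looks like, as an added example (not a configuration from the talk): a stunnel configuration in the ini syntax of stunnel 4/5, which replaced the command-line style of the 1999 version. The server section exposes an unmodified imapd on port 993; the client section is the wrapper pine needs, so that pine speaks plain IMAP to a local port and stunnel carries it over TLS. Certificate paths, the host name mail.example.org and the local port 1430 are assumptions.

```ini
; ---- on the IMAP server host (/etc/stunnel/stunnel.conf, assumed path) ----
; Accept TLS on 993 and hand the decrypted stream to the unmodified imapd
; listening on the loopback address, so the clear-text leg never leaves the host.
[imaps]
accept  = 993
connect = 127.0.0.1:143
cert    = /etc/stunnel/imapd.pem      ; server certificate and key, assumed path

; ---- on the pine client host (a separate stunnel.conf) ----
; pine is configured to use the IMAP server "127.0.0.1:1430" (plain IMAP);
; stunnel in client mode wraps that in TLS towards the real server.
[imaps-client]
client      = yes
accept      = 127.0.0.1:1430
connect     = mail.example.org:993
; Without these three lines stunnel encrypts but does not check who it talks to,
; and the password would be handed to any host that intercepts the connection.
CAfile      = /etc/stunnel/site-ca.pem ; the site's CA certificate, assumed path
verifyChain = yes
checkHost   = mail.example.org
```

Two points the slide's disadvantage hides: the wrapper on the server only helps if port 143 is no longer reachable from the network (bind imapd to the loopback address or filter the port), and the client-side wrapper only helps if it verifies the server certificate against the site CA mentioned under solution 3, otherwise the "no clear-text passwords" goal is met on the wire but not against an active attacker.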

Our final solution: Kerberos and SSL
- Two running servers:
  - kerberized imapd on port 143
  - SSL-aware kerberized imapd on port 993
- Kerberos-aware client: pine
- SSL-aware clients: Netscape and Internet Explorer
- pine made SSL aware by Michael Matz (9/99)
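The two-server setup leaves the client with a decision that the slides state only as advantages and disadvantages: use the Kerberos authenticator when a ticket is at hand, send a password only where SSL protects it, and never fall back to the clear-text LOGIN that the kerberized port-143 server still accepts (the disadvantage of solution 2). The Python below is an added example, not code from the talk, from pine or from the UW imapd: it derives that decision from the server's CAPABILITY reply and includes the check an administrator would run to confirm whether a server would still take a clear-text password. The CAPABILITY replies and server names are constructed for the example, and the AUTH= mechanisms they advertise are assumptions; it also handles STARTTLS (RFC 2595), which the talk's 1999 setup did not use.

```python
"""Client-side IMAP authentication policy derived from the CAPABILITY reply.

Added example (not from the talk). Rules: Kerberos when offered and a ticket
is at hand; a password only over TLS; never a clear-text LOGIN.
The CAPABILITY replies below are constructed, not captured from DESY's servers.
"""
import re

# SASL mechanisms backed by a Kerberos ticket; no password crosses the wire.
KERBEROS_MECHS = ("GSSAPI", "KERBEROS_V4")   # preference order


def parse_capabilities(reply):
    """Return the upper-cased capability tokens from an untagged
    '* CAPABILITY ...' response or an '* OK [CAPABILITY ...]' greeting."""
    m = re.search(r"CAPABILITY\s+([^\]\r\n]*)", reply)
    if m is None:
        raise ValueError("no CAPABILITY data in reply")
    return {tok.upper() for tok in m.group(1).split()}


def sasl_mechanisms(caps):
    """SASL mechanisms advertised as AUTH=<mech>."""
    return {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}


def accepts_cleartext_login(caps, tls_established):
    """True if a password sent to this server would travel unencrypted.

    Over TLS nothing is in clear. Without TLS the server protects the user
    only if it advertises LOGINDISABLED (RFC 2595) and no plain SASL mechanism
    (PLAIN/LOGIN are base64, not encryption)."""
    if tls_established:
        return False
    plain = sasl_mechanisms(caps) & {"PLAIN", "LOGIN"}
    return "LOGINDISABLED" not in caps or bool(plain)


def choose_auth(caps, tls_established, have_ticket):
    """Decide the next IMAP command for a client that must never leak a password.

    Returns (command, argument):
      ("AUTHENTICATE", mech)    use the Kerberos ticket, on any port
      ("STARTTLS", None)        upgrade first, then re-read CAPABILITY
      ("LOGIN", None)           password acceptable because TLS protects it
      ("AUTHENTICATE", "PLAIN") same, when LOGIN itself is disabled
      ("REFUSE", reason)        nothing safe is available
    """
    mechs = sasl_mechanisms(caps)
    if have_ticket:
        for mech in KERBEROS_MECHS:
            if mech in mechs:
                return ("AUTHENTICATE", mech)
    if not tls_established:
        if "STARTTLS" in caps:
            return ("STARTTLS", None)
        return ("REFUSE", "only clear-text password authentication available")
    if "LOGINDISABLED" not in caps:
        return ("LOGIN", None)
    if "PLAIN" in mechs:
        return ("AUTHENTICATE", "PLAIN")
    return ("REFUSE", "TLS up but server offers no password mechanism")


# Constructed CAPABILITY replies modelling the servers discussed in the talk.
SAMPLE_REPLIES = {
    # kerberized UW imapd on 143: Kerberos offered, but LOGIN still accepted
    "port143-kerberized": "* CAPABILITY IMAP4 IMAP4REV1 AUTH=GSSAPI AUTH=KERBEROS_V4\r\n",
    # SSL-aware kerberized imapd on 993: the socket is already TLS
    "port993-ssl": "* CAPABILITY IMAP4 IMAP4REV1 AUTH=GSSAPI\r\n",
    # the original situation: plain UW imapd, password only
    "legacy-plain": "* CAPABILITY IMAP4 IMAP4REV1\r\n",
    # a later-style server that refuses LOGIN until STARTTLS has run
    "starttls-only": "* OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] ready\r\n",
}


def audit(name, tls_established, have_ticket):
    """Evaluate one sample server: (clear-text password possible?, chosen action)."""
    caps = parse_capabilities(SAMPLE_REPLIES[name])
    return (accepts_cleartext_login(caps, tls_established),
            choose_auth(caps, tls_established, have_ticket))


if __name__ == "__main__":
    for name, tls in (("port143-kerberized", False), ("port993-ssl", True),
                      ("legacy-plain", False), ("starttls-only", False)):
        for ticket in (True, False):
            clear, action = audit(name, tls, ticket)
            print(f"{name:20s} tls={tls!s:5} ticket={ticket!s:5} "
                  f"cleartext_possible={clear!s:5} -> {action}")
```

Running it prints one line per server and ticket state. The kerberized port-143 server still reports cleartext_possible=True, which is exactly why the talk pairs it with the SSL port for clients that have no ticket; the refusal for "legacy-plain" is the situation the Motivation slide describes. A real client reissues CAPABILITY after STARTTLS, since the advertised set changes once TLS is up.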

Conclusions
- Reached our goals
- Kerberized imapd in use at Zeuthen since 8/99
- Hamburg will follow if the test phase is successful
- SSL-aware pine (pinessl or spine) comes next
- Patches available

Resources
- imapd with SSL:
- pine with SSL: ftp://ftp.ifh.de/pub/unix/mail/pine4.10-ssl.diff.gz
- kerberized imapd: ftp://ftp.ifh.de/pub/unix/mail/imap-4.6-kerberos.diff.tgz
- stunnel:
- bjorb: